Security vulnerabilities in Redgate products

This page details previously-announced security vulnerabilities in Redgate's products. Our Product Security Policy details how we announce vulnerabilities.

2025

  • CVE-2025-55182 ("React2Shell") did not affect any of Redgate's products. Details
  • Redgate Monitor prior to 14.0.50 contains a vulnerability that allows non-administrator users to view and access all alerts, ignoring the established access controls. Details

2024

  • Redgate Monitor prior to version 14.0.8 is susceptible to CVE-2024-35255, allowing an attacker with local access to the system hosting the Redgate Monitor Base Monitor to read any file on the file system with SYSTEM access permissions. Details

2023

  • SQL Monitor versions 12.0.0 to 13.0.21 (inclusive) contain a vulnerability that can result in a Denial of Service attack against its Web Service when hosted using SQL Monitor's built-in web server (CVE-2023-38180). Details
  • SQL Monitor prior to version 12.1.54 contains vulnerabilities that allow low-privileged users to perform actions their permissions should not allow and, when Active Directory (LDAP) authentication is used, allow low-privileged users to elevate their permissions to a SQL Monitor administrator role (CVE-2022-47542). Details

2021

  • CVE-2021-44228 (log4j's "log4shell" vulnerability) did not affect any of Redgate's products. Details
  • SQL Monitor versions 9.0.4 to 11.0.18 (inclusive) contain an issue when using Active Directory authorization, whereby some non-administrator users could potentially view servers they were not entitled to according to SQL Monitor's access control settings. Details

2020

  • SQL Monitor versions 7.1.4 to 10.1.5 (inclusive) do not correctly check TLS certificate validity for webhook, email, or Slack alerts when it is disabled for a particular scope, or where VMware servers are monitored. Details
  • SQL Monitor versions 9.0.13 to 9.2.14 (inclusive) have a security vulnerability where a user who is an administrator of the SQL Monitor installation is able to perform a SQL injection attack. Details

2019

  • SQL Monitor prior to 9.2.5 allowed users with administrative privileges to retrieve configured SMTP server credentials. Details

2018

  • SQL Monitor prior to 8.0.19 was vulnerable to a cross-site scripting attack. Details
  • SmartAssembly prior to 6.12.5 was vulnerable to untrusted code execution. Details
  • .NET Reflector prior to 10.0.7.774 was vulnerable to untrusted code execution. Details

2015

  • SQL Monitor prior to 4.2, or SQL Monitor 3 prior to 3.10, were vulnerable to an authentication bypass and SQL command execution. Details

2013

  • SQL Backup versions 7.4 and 7.5 insecurely stored credentials for the SQL Backup Agent service. Details